Golang Snippet #10
This challenge covers the review of a snippet of code written in Golang
In this lab, we examine a piece of Golang code that handles HTTP requests and serves files based on URL parameters. The main function sets up an HTTP server listening on port 8080, mapping requests to the handler function. The handler function attempts to open a file specified by a URL parameter, clean the path, and serve the file's contents.
The vulnerability lies in the use of path.Clean to sanitize the file path. While path.Clean simplifies paths by removing relative path segments like ./, it does not entirely mitigate directory traversal attacks. An attacker can exploit this by using paths like ../../etc/passwd to access sensitive files outside the intended directory, as path.Clean does not remove leading ../ segments unless prefixed by a /.